
MsiLockPermissionsEx issue

I am having issues with MsiLockPermissionsEx table.
When locking permissions, no matter what the ACL flag is (P, AI, AR or combinations), existing explicit permissions are replaced by new ones and no inheritance from the parent container is preserved. For instance, the following SDDLText:

D:AI(A;OICI;FWFR;;;AU)

does explicitly set read and write permissions for my object, but other existing ACEs (for example for Administrators and Users) are lost, and permissions from the parent folder are *not* inherited. This is weird, as the documentation from Microsoft clearly states that the MsiLockPermissionsEx table supports inheritance.

Is this a bug or am I missing something?

This behavior has been observed on different machines (Win 7 32bit/64bit) with different test packages. Databases have been successfully checked against ICE, no errors were shown in logs. Adjusting schema in summary information does not change anything. Databases have been created in Wise, and MsiLockPermissionsEx stuff was added via Orca from the newest SDK.

Parent folder permissions are normally propagated to children (running the same SDDL string via secedit does the job - permissions are inherited then). I tried locking objects in Program Files, its children or other test folders - still no success.
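
To compare what the authored string asks for with what ends up on the installed folder, the DACL part of an SDDL string can be decoded and its ACEs split into explicit and inherited ones. This is an added example, not part of the original thread; the function names and the second sample string are constructed for illustration, and only a subset of SDDL tokens is decoded.

```python
import re

# Token tables from the SDDL string format (subset relevant to file objects).
DACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
             "NP": "NO_PROPAGATE", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
RIGHTS = {"FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE"}
SIDS = {"AU": "Authenticated Users", "BA": "Administrators",
        "BU": "Users", "SY": "Local System"}

AUTHORED = "D:AI(A;OICI;FWFR;;;AU)"  # the SDDLText quoted in the post
# Constructed sample: a folder that also carries ACEs inherited from its parent.
INHERITING = ("O:BAG:SYD:AI(A;OICI;FWFR;;;AU)"
              "(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)")

def _tokens(text, table):
    """Decode a run of SDDL tokens; hex masks and unknown tokens stay raw."""
    if text.lower().startswith("0x"):
        return [text]
    out = []
    while text:
        # "P" is the only one-letter token and only exists among DACL flags.
        size = 1 if text[0] == "P" and "P" in table else 2
        out.append(table.get(text[:size], text[:size]))
        text = text[size:]
    return out

def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields[:6]
        aces.append({"type": ace_type, "flags": _tokens(flags, ACE_FLAGS),
                     "rights": _tokens(rights, RIGHTS),
                     "trustee": SIDS.get(sid, sid)})
    return _tokens(m.group(1), DACL_FLAGS), aces

def inheritance_summary(sddl):
    """Report whether the DACL blocks inheritance and how its ACEs split."""
    flags, aces = parse_dacl(sddl)
    inherited = sum(1 for a in aces if "INHERITED" in a["flags"])
    return {"protected": "PROTECTED" in flags,
            "explicit": len(aces) - inherited, "inherited": inherited}
```

The SDDL of an installed folder can be read with `(Get-Acl <folder>).Sddl` in PowerShell and passed to `inheritance_summary` for comparison with the authored string.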


Answers (6)

Posted by: SandeepPanat 12 years ago
Orange Senior Belt
0
Wise doesn't support this table for sure. I assume you don't have LockPermissions table in your msi.
What conditions (and how many) have you specified in the Condition column?
Posted by: anonymous_9363 12 years ago
Red Belt
0
Forget the MSILockPermissionsEx and LockPermissions tables and use a third-party tool through a Custom Action. Not only do they almost all by default add to ACEs rather than replace them (although they can also replace), the syntax is much easier! LOL

If you have to stick with the table, one of the ACL tools, SubInACL, can display SDDL strings for objects so, you can set the permissions you want, then use SubInACL to show the required syntax.
Posted by: Marcin Otorowski 12 years ago
Yellow Belt
0
Thanks for your feedback.

@SandeepPanat
Obviously, Wise does not support it (and many other things). I just used it to produce a standard test package.
I am not using LockPermissions at the same time, otherwise I would get ICE error.
I am also not specifying any conditions. SDDL is always applied, which is confirmed by analysis of logs. Like I said, the only issue is that it does not preserve inheritance - everything else works O.K.

@VBSCab
I am well aware of a bunch of tools to deal with SDDL. I am not particularly forced to use any of them, but the advantage of MsiLockPermissionsEx is that it is a standard action in MSI. Custom actions can be problematic in some scenarios and policies.
Moreover, using SubInAcl (and other similar tools) has one problematic drawback. If I want to deploy an object which does not replace anything (e.g. it is a new folder with no explicit permissions) then subinacl will not help, as it can show the current SDDL of any *existing* object, otherwise it produces an error. I used my own tool and secedit to generate SDDL syntax, so the problem is not in getting the correct SDDL itself, but rather applying my required set of rules with preservation of whatever custom rules have been set on the target machine. During the authoring process I don't know what the particular configuration of the target machine is, so I must carefully plan any actions involving security rules.


So after all, there are three reasons I would like to use MsiLockPermissionsEx table:
1) it is standard built-in action
2) it is stated (by Microsoft) to support all necessary stuff
3) I am trying to develop my own tool and documentation of this feature. Commercial authoring tools are really poor if not worse, as far as support for MsiLockPermissionsEx is concerned.

But the fact, that all available documentation states it should work, while it is *not* working really drives me mad. Any other ideas are appreciated.
Posted by: kanthsri87 12 years ago
Senior Yellow Belt
0
Why can't you use the Security template to give permission?
Posted by: Marcin Otorowski 12 years ago
Yellow Belt
0
I could. But if MsiLockPermissionsEx supported the same functionality (meaning *inheritance* according to documentation) CA would be pointless. Not only does it require a custom rollback script, but it also consumes time to create the template, requires deploying the security template to the target machine etc.
Still, it's very annoying, that Windows Installer does not behave as required and stated by Microsoft - no scenario I performed (different machines, packages) worked with inheritance enabled.
Posted by: anonymous_9363 12 years ago
Red Belt
0
The other problem I have with the use of the permissions tables is that it wastes resources, in that permissions get applied to all the objects which the table entries point at.

My permissioning CA is positioned immediately after the package's CreateFolder action. It then permissions that and then relies on simple inheritance to permission files contained therein. For smaller installations, the difference is minimal but for the clunkers, waiting for permissions to be applied to 'x' hundred files can add a significant delay to a deployment.